As I said you usually can't. For instance Firefox has a database with
certificates from many trust anchors (they pay to be in that database),
so when it wants to validate a certificate it asks the db about it. If you have
an HTTPS server which has a self-signed certificate that isn't in Firefox's
db, then you will get an error that the certificate could not be validated.

This is because you cannot access their online LDAP or X.500 stores of
certificates unless you are their client (I bought a class 4 certificate,
for application signing, and they gave me a user/pass to their online
repository). Even then you might have restricted access, and if you
want the CA's self-signed certificate (if the CA is Verisign or another root CA)
you won't find that cert in their repositories.

I would be interested too to find a way to retrieve online certificates, but I'm afraid
currently there isn't any. That's why Verisign wants to take over DNS, so that they
can distribute certs at will - ISPs are too lazy to do that.

From what I understand, you need the trust anchor's certificate (e.g. Verisign)
so that you can check the server's certificate against the probably self-signed
Verisign certificate. It is assumed that you already have the certificates of the
CAs you trust.
If your question is how to find a specific certificate online, the simple answer is that
you usually can't.

> > So I want to know how my client will authenticate the server
> > since I don't have the server's root certificate?
> > Thanks in advance..
> > Regards
> > Alok Bhatnagar
>
> That is completely application-dependent. The answer will depend on what
> makes the legitimate server different from an impostor.
>
> Your question is basically, "how can I detect an impostor?". And the answer
> is "as opposed to what?". For example, if the question is, "how can I tell
> the real amazon.com from an impostor who doesn't control that domain?" the
> answer is to see if the server presents a certificate with 'amazon.com' in
> the common name that is signed by a CA you trust.
>
> If you don't know what CAs you trust, then you have a problem.
>
> DS
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majordomo@openssl.org

I do have to point out, no CA pays Mozilla to be in Firefox's
database. What the CA pays for is the auditing required to pass
Mozilla's criteria for inclusion in the database.

That said, my personal opinion is that the CA model is broken from the
start, and I am pushing for a way to opt out of Mozilla's root
certificate distribution without having to individually remove trust
from every CA in their database.

-Kyle H

On Fri, Jun 20, 2008 at 7:16 AM, Sendroiu Eugen <eugen_sen@yahoo.com> wrote:
> Cheers,
> Eugen.
>
>
> ----- Original Message ----
> From: AlokBhatnagar <alokb@mwti.net>
> To: openssl-users@openssl.org
> Sent: Friday, June 20, 2008 4:49:55 PM
> Subject: Re: Server Authentication
>
> Hello Sendroiu,
>
> That's what I was asking....
>
> How can I get the certificates of CAs I trust?
>
> Regards
>
> Alok Bhatnagar
>
>
>
>
>
> ----- Original Message -----
> From: Sendroiu Eugen
> To: openssl-users@openssl.org
> Sent: Friday, June 20, 2008 7:12 PM
> Subject: Re: Server Authentication
>
> ----- Original Message ----
> From: AlokBhatnagar <alokb@mwti.net>
> To: openssl-users@openssl.org
> Sent: Friday, June 20, 2008 4:02:15 PM
> Subject: Re: Server Authentication
>
> Thanks David,
>
> I know that the domain name should be the same as the common name in the server
> certificate which is sent by the server to the client.
>
> As I know, the SSL client verifies the server's certificate against the CA
> certificate loaded in the client.
>
> Suppose I trust the Verisign CA. So my client must have the Verisign CA certificate
> in order to verify the server's certificate.
>
> So I want to ask, how will I get the CA certificate or the list of CA
> certificates that I trust?
>
> Thanks
>
> Regards
> Alok Bhatnagar
>
>
> ----- Original Message -----
> From: "David Schwartz" <davids@webmaster.com>
> To: <openssl-users@openssl.org>
> Sent: Friday, June 20, 2008 6:03 PM
> Subject: RE: Server Authentication
>
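The whole thread boils down to one check: the client only accepts a server certificate if it chains to a CA certificate already in the client's own trust store and the name in it matches the host the client meant to reach. The script below is an added example, not code from the list or from OpenSSL itself; it builds a throwaway test CA (all names such as `shop.example.test` are constructed), signs a server certificate with it, and runs `openssl verify` the way a client would, including the case Kyle raises where whatever you put in the trust store becomes "trusted".

```shell
#!/bin/sh
# Added example (not from the thread): a throwaway CA, a server cert it
# issued, a self-signed impostor with the same name, and the client-side
# verify that tells them apart. Needs the openssl CLI on PATH.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test root CA: plays the role of the "CA certificate loaded
# in the client" that Alok asks about.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Test Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Legitimate server cert for shop.example.test, issued by the test CA.
# The SAN is supplied via -extfile so this works on OpenSSL 1.1.x and 3.x.
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=shop.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:shop.example.test\n' > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -extfile "$WORK/san.ext" -out "$WORK/server.pem" 2>/dev/null
}

# Impostor: a self-signed cert that merely claims the same name.
make_rogue_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=shop.example.test" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" 2>/dev/null
}

# What the client does: chain the presented cert to a CA in its trust
# store and check the hostname. $1 = trust store (PEM), $2 = presented
# cert, $3 = host the client intended to reach. Exit status is the verdict.
client_accepts() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

make_ca; make_server_cert; make_rogue_cert
report() { if client_accepts "$1" "$2" "$3"; then echo "ACCEPT  $4"; else echo "REJECT  $4"; fi; }
report "$WORK/ca.pem"    "$WORK/server.pem" shop.example.test  "CA-signed cert, right host"
report "$WORK/ca.pem"    "$WORK/rogue.pem"  shop.example.test  "self-signed impostor, not in trust store"
report "$WORK/ca.pem"    "$WORK/server.pem" other.example.test "CA-signed cert, wrong host"
report "$WORK/rogue.pem" "$WORK/rogue.pem"  shop.example.test  "impostor once its cert is in the trust store"
```

The last line is the point behind Kyle's objection: `openssl verify` has no notion of a "real" CA, only of what is in the file you pass as `-CAfile`, so the trust store's contents decide everything.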